<?php

	
	/**
	 * This function checks the submitted login credentials and logs the user in.
	 */ 
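	function loginCheck() {
		// Handles a POST of the login form: looks the credentials up in the users
		// table, stores the username and level in the session on success and
		// redirects to the home page; prints a failure message otherwise.
		// Does nothing unless the form's submit button is present in the request.
		if (!isset($_POST['login_button'])) {
			return;
		}

		// Missing or non-string fields (e.g. username[]=x) are treated as empty
		// credentials instead of raising notices further down.
		$username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
		$password = (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : '';

		// Hash the password the same way the stored values were produced.
		// NOTE(review): the salt is one fixed string shared by every account, and its
		// cost field ("z7") is not the two-digit number bcrypt expects, so depending on
		// the PHP version crypt() may fall back to another scheme or return a failure
		// token - confirm what is actually stored in users.pass. Moving to
		// password_hash()/password_verify() needs a rehash-on-login migration and is
		// deliberately not done here because it would invalidate the existing rows.
		$passwordHash = crypt($password, '$2b$z7$passstring$');

		// NOTE(review): the mysql_* extension was removed in PHP 7 and escaping depends
		// on the connection charset; prepared statements (mysqli/PDO) are the durable
		// fix, but the connection handle is not visible from this function.
		$sql = sprintf("SELECT * 
							FROM users
							WHERE username = '%s' 
							AND pass = '%s'",
							mysql_real_escape_string($username),
							mysql_real_escape_string($passwordHash));
		$result = mysql_query($sql);

		// A failed query returns false; treat it as "no such user" rather than
		// passing false on to mysql_fetch_assoc().
		$row = ($result !== false) ? mysql_fetch_assoc($result) : false;

		if ($row) {
			// Issue a fresh session id once the user is authenticated so an id that
			// was planted before login cannot be reused (session fixation).
			if (session_status() === PHP_SESSION_ACTIVE) {
				session_regenerate_id(true);
			}

			// The username is written to the session only after the credentials were
			// verified, so a failed attempt never leaves an identity behind.
			$_SESSION['username'] = $username;

			/* User groups
			 * 1 = regular user
			 * 0 = visitor
			 * 2 = admin (can manage users)
			 */
			$_SESSION['level'] = $row['level'];

			header('Location: index.php?action=home');
		}
		else {
			echo 'Login failed. <a href="index.php?action=login">Go back to login</a> or <a href="index.php?action=displayForgotPassword">Forgot password?</a>';
		}
	}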
	
	/**
	 * This function displays the login form.
	 */
	function displayLogin() {
		// Prints the login form. It posts "username", "pass" and "login_button" to
		// index.php?action=loginCheck. The markup is emitted as a single string
		// without line breaks; the tab indentation is part of the output.
		// NOTE(review): the form itself carries no hidden token - whether the
		// dispatcher adds request-forgery protection is not visible from here.
		$tableIndent = " \t";
		$rowIndent   = "\t\t";
		$cellIndent  = "\t\t\t";

		echo '<h1>Login</h1>'
			. '<form method="post" action="index.php?action=loginCheck">'
			. $tableIndent . '<table border="1">'
			. $rowIndent . '<tr>'
			. $cellIndent . '<td>Username:</td>'
			. $cellIndent . '<td><input type="text" name="username"/></td>'
			. $rowIndent . '</tr>'
			. $rowIndent . '<tr>'
			. $cellIndent . '<td>Password:</td>'
			. $cellIndent . '<td><input type="password" name="pass"/></td>'
			. $rowIndent . '</tr>'
			. $rowIndent . '<tr>'
			. $cellIndent . '<td><input type="submit" name="login_button" value="Login" /></td>'
			. $cellIndent . '<td><a href="index.php?action=displayForgotPassword">Forgot your password?</a></td>'
			. $rowIndent . '</tr>'
			. $tableIndent . '</table>'
			. '</form>';
	}
	
	/**
	 * This function displays the password change form.
	 */
	function displayChangePassword() {
		// Prints the change-password form. It posts "pass_old", "pass_new" and
		// "change_pass_button" to index.php?action=changePassword. The fragments are
		// joined without separators, so the output contains no line breaks.
		// NOTE(review): no hidden token is part of this form - whether the dispatcher
		// protects the state-changing POST against forged requests is not visible here.
		$fragments = array(
			'<h1>Change password</h1>',
			'<form method="post" action="index.php?action=changePassword">',
			" \t" . '<table border="1">',
			"\t\t" . '<tr>',
			"\t\t\t" . '<td>Old password:</td>',
			"\t\t\t" . '<td><input type="password" name="pass_old"/></td>',
			"\t\t" . '</tr>',
			"\t\t" . '<tr>',
			"\t\t\t" . '<td>New password:</td>',
			"\t\t\t" . '<td><input type="password" name="pass_new"/></td>',
			"\t\t" . '</tr>',
			"\t\t" . '<tr>',
			"\t\t\t" . '<td><input type="submit" name="change_pass_button" value="Change password" /></td>',
			"\t\t\t" . '<td></td>',
			"\t\t" . '</tr>',
			" \t" . '</table>',
			'<a href="index.php?action=home">Go back to homepage</a>',
			'</form>',
		);

		echo implode('', $fragments);
	}
	
	/**
	 * This function changes the password in the database.
	 */
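	function changePassword() {
		// Handles a POST of the change-password form: verifies the old password of
		// the user named in the session and, if it matches, stores the hash of the
		// new password. Prints a status message in every case.
		if (!isset($_POST['change_pass_button'])) {
			echo 'Do not directly access this page! Please go back.';
			return;
		}

		// The account to change always comes from the session, never from the
		// request. Without a session username there is no account to act on.
		if (!isset($_SESSION['username']) || !is_string($_SESSION['username']) || $_SESSION['username'] === '') {
			echo 'Do not directly access this page! Please go back.';
			return;
		}
		$username = $_SESSION['username'];

		// Missing or non-string fields are treated as empty instead of raising notices.
		$oldPass = (isset($_POST['pass_old']) && is_string($_POST['pass_old'])) ? $_POST['pass_old'] : '';
		$newPass = (isset($_POST['pass_new']) && is_string($_POST['pass_new'])) ? $_POST['pass_new'] : '';

		// An empty new password would otherwise be hashed and stored without complaint.
		if ($newPass === '') {
			echo 'The new password may not be empty, please try again. <a href="index.php?action=displayChangePassword">Go back</a>';
			return;
		}

		// NOTE(review): fixed, shared salt with a malformed cost field - see what
		// crypt() really returns on the deployed PHP version; password_hash() /
		// password_verify() is the replacement but requires migrating stored hashes.
		$sql = sprintf("SELECT *
						FROM users
						WHERE username='%s'
						AND pass='%s'",
					mysql_real_escape_string($username),
					mysql_real_escape_string(crypt($oldPass, '$2b$z7$passstring$')));
		$result = mysql_query($sql);

		// mysql_query() returns false on error; that must not count as a match.
		if ($result === false || mysql_num_rows($result) !== 1) {
			echo 'The old password you entered was incorrect, please try again. <a href="index.php?action=displayChangePassword">Go back</a>';
			return;
		}

		$sql = sprintf("UPDATE users
						SET pass='%s'
						WHERE username='%s'",
			mysql_real_escape_string(crypt($newPass, '$2b$z7$passstring$')),
			mysql_real_escape_string($username));

		// Only report success when the UPDATE was actually accepted.
		if (mysql_query($sql) === false) {
			echo 'The password could not be changed, please try again later. <a href="index.php?action=displayChangePassword">Go back</a>';
			return;
		}

		echo 'Password has been changed! <a href="index.php?action=home">Go back to the homepage</a>';
	}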
	
	/**
	 * Password forgotten page. On this page you can recover your password.
	 */
	function displayForgotPassword() {
		// Prints the forgot-password form. It posts "username", "email" and
		// "send_button" to index.php?action=newPassword. The markup is accumulated in
		// a buffer and written once; it contains no line breaks.
		$html  = '<h1>Forgot password</h1>';
		$html .= '<form method="post" action="index.php?action=newPassword">';
		$html .= " \t" . '<table border="1">';

		// Row 1: user id
		$html .= "\t\t" . '<tr>';
		$html .= "\t\t\t" . '<td>Gebruikers ID:</td>';
		$html .= "\t\t\t" . '<td><input type="text" name="username"/></td>';
		$html .= "\t\t" . '</tr>';

		// Row 2: e-mail address
		$html .= "\t\t" . '<tr>';
		$html .= "\t\t\t" . '<td>E-mail:</td>';
		$html .= "\t\t\t" . '<td><input type="text" name="email"/></td>';
		$html .= "\t\t" . '</tr>';

		// Row 3: submit button and link back to the login page
		$html .= "\t\t" . '<tr>';
		$html .= "\t\t\t" . '<td><input type="submit" name="send_button" value="Send new password" /><a href="index.php?action=login">Terug</a></td>';
		$html .= "\t\t\t" . '<td></td>';
		$html .= "\t\t" . '</tr>';

		$html .= " \t" . '</table>';
		$html .= '</form>';

		echo $html;
	}
	
	/*
	 * This function generates a new random password and sends it to the user's email.
	 * The database will be updated with the new password.
	 */
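	function newPassword() {
		// Handles a POST of the forgot-password form: when the submitted username and
		// e-mail address match a row in users, a random password is generated, mailed
		// to that address and its hash is stored. Prints a status message.
		//
		// NOTE(review): this flow replaces the password for anyone who can name a
		// valid username/e-mail pair and sends the new secret in clear text by mail.
		// A single-use, expiring reset link that leaves the old password in place
		// until it is used would remove both problems; that needs schema changes and
		// is outside this function.

		// Missing or non-string fields are treated as empty instead of raising notices.
		$username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
		$email    = (isset($_POST['email']) && is_string($_POST['email'])) ? $_POST['email'] : '';

		$userFound = false;

		// The address ends up in the To: header of the mail, so a value containing
		// line breaks is rejected outright rather than looked up.
		if ($username !== '' && $email !== '' && !preg_match('/[\r\n]/', $email)) {
			$sql = sprintf("SELECT *
							FROM users
							WHERE username='%s'
							AND email = '%s'",
						mysql_real_escape_string($username),
						mysql_real_escape_string($email));
			$result = mysql_query($sql);

			// mysql_query() returns false on error; that counts as "not found".
			$userFound = ($result !== false && mysql_num_rows($result) >= 1);
		}

		if (!$userFound) {
			echo"No user found.<br />";
			echo '<a href="index.php?action=displayForgotPassword">Go back.</a>';
			return;
		}

		// Generate a random password. Twelve characters instead of the former six,
		// because the value is a live credential until the user changes it.
		$password = "";
		$length = 12;
		$possible = "123467890abcdefghijkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
		$lastIndex = strlen($possible) - 1;

		for ($i = 0; $i < $length; $i++) {
			if (function_exists('random_int')) {
				// Cryptographically secure source (PHP 7+ or a polyfill).
				$index = random_int(0, $lastIndex);
			}
			else {
				// NOTE(review): mt_rand() is predictable and not suitable for
				// secrets; it is kept only as a fallback for runtimes without
				// random_int().
				$index = mt_rand(0, $lastIndex);
			}
			$password .= $possible[$index];
		}

		// Send an email with the new password
		$to      = $email;
		$subject = 'New password';
		$message = 'Your new password: '.$password."\r\n";
		$message .= 'Please change your password after you login again <a href="index.php?action=displayChangePassword">here.</a>';
		$headers = 'From: postmaster@localhost.net' . "\r\n" .
		'Reply-To: webmaster@example.com' . "\r\n";

		// If the mail is not accepted for delivery the stored password is left
		// untouched, so the user is not locked out with a password nobody received.
		if (!mail($to, $subject, $message, $headers)) {
			echo 'The new password could not be sent, please try again later.<br /> <a href="index.php?action=displayForgotPassword">Go back.</a>';
			return;
		}

		// The generated password is never written to the response: whoever submitted
		// the form is not necessarily the owner of the mailbox.

		// NOTE(review): same fixed salt as the login check; see password_hash() for a
		// per-user-salted replacement once stored hashes can be migrated.
		$passwordHash = crypt($password, '$2b$z7$passstring$');
		$sql = sprintf("UPDATE users
						SET pass='%s'
						WHERE username='%s'
						AND email = '%s'",
					mysql_real_escape_string($passwordHash),
					mysql_real_escape_string($username),
					mysql_real_escape_string($email));

		if (mysql_query($sql) === false) {
			echo 'The new password could not be saved, please try again later.<br /> <a href="index.php?action=displayForgotPassword">Go back.</a>';
			return;
		}

		echo 'A new password has been sent to your email.<br /> <a href="index.php?action=login">Go back to login page.</a>';
	}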
	
	/*
	 * Log out function, sets the user level to 0, which is equal to having no rights.
	 */
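	function logout() {
		// Ends the user's session and redirects to the home page.

		// session_destroy() removes the stored session data but leaves the
		// $_SESSION array of the running request untouched, so every value
		// (including the username) is dropped here; level 0 - no rights - is what
		// the remainder of this request will see.
		$_SESSION = array('level' => 0);

		// Expire the session cookie as well, so the browser stops presenting the
		// old session id.
		if (ini_get('session.use_cookies')) {
			$cookie = session_get_cookie_params();
			setcookie(
				session_name(),
				'',
				time() - 42000,
				$cookie['path'],
				$cookie['domain'],
				$cookie['secure'],
				$cookie['httponly']
			);
		}

		// Destroying a session that was never started only raises a warning.
		if (session_status() === PHP_SESSION_ACTIVE) {
			session_destroy();
		}

		header('Location: index.php?action=home');
	}	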

?>